chore: minor refactoring

vaind · vaind · commit 240ed218c242 · 2025-10-29T09:43:15.000+01:00
diff --git a/danger/README.md b/danger/README.md
@@ -76,4 +76,4 @@ module.exports = async function ({ fail, warn, message, markdown, danger }) {
   warn('...');
 }
 
-```
+```
diff --git a/danger/action.yml b/danger/action.yml
@@ -26,10 +26,8 @@ runs:
   steps:
     - name: Checkout repository
       uses: actions/checkout@v4
-      env:
-        API_TOKEN: ${{ inputs.api-token }}
       with:
-        token: ${{ env.API_TOKEN }}
+        token: ${{ inputs.api-token }}
         fetch-depth: 0
 
     # Read the Danger version from the properties file
@@ -41,16 +39,19 @@ runs:
     # Validate extra-install-packages to prevent code injection
     - name: Validate package names
       if: ${{ inputs.extra-install-packages }}
-      shell: bash
+      shell: pwsh
       env:
         EXTRA_INSTALL_PACKAGES: ${{ inputs.extra-install-packages }}
       run: |
-        packages="$EXTRA_INSTALL_PACKAGES"
-        # Only allow alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces
-        if ! echo "$packages" | grep -E '^[a-zA-Z0-9._+-]+( [a-zA-Z0-9._+-]+)*$' > /dev/null; then
-          echo "::error::Invalid package names in extra-install-packages. Only alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces are allowed."
-          exit 1
-        fi
+        # Validate against Debian package naming rules: must start with alphanumeric,
+        # contain only lowercase letters, digits, hyphens, plus signs, periods
+        # Package names cannot start with hyphen or period, and must be reasonable length
+        foreach ($pkg in $env:EXTRA_INSTALL_PACKAGES -split '\s+') {
+          if ($pkg -notmatch '^[a-z0-9][a-z0-9.+-]{0,100}$') {
+            Write-Host "::error::Invalid package name '$pkg'. Debian packages must start with lowercase letter or digit and contain only lowercase letters, digits, hyphens, periods, and plus signs."
+            exit 1
+          }
+        }
 
     # Using a pre-built docker image in GitHub container registry instead of NPM to reduce possible attack vectors.
     - name: Setup container
@@ -88,4 +89,9 @@ runs:
       id: danger
       shell: bash
       run: |
-        docker exec --user $(id -u) danger danger ci --fail-on-errors --dangerfile ${{ github.action_path }}/dangerfile.js
+        docker exec --user $(id -u) danger danger ci --fail-on-errors --dangerfile ${{ github.action_path }}/dangerfile.js
+
+    - name: Cleanup container
+      if: always()
+      shell: bash
+      run: docker rm -f danger || true
diff --git a/danger/dangerfile.js b/danger/dangerfile.js
@@ -202,7 +202,7 @@ async function checkFromExternalChecks() {
       const resolvedPath = fs.realpathSync(customPath);
       if (!resolvedPath.startsWith(workspaceDir)) {
         fail(`Invalid dangerfile path: ${extraDangerFilePath}. Must be within workspace.`);
-        return;
+        throw new Error('Security violation: dangerfile path outside workspace');
       }
 
       const extraModule = require(customPath);

Original file line number	Diff line number	Diff line change
`@@ -76,4 +76,4 @@ module.exports = async function ({ fail, warn, message, markdown, danger }) {`
`76`	`76`	`warn('...');`
`77`	`77`	`}`
`78`	`78`
`79`		-```
	`79`	+```
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ async function checkFromExternalChecks() {`
`202`	`202`	`const resolvedPath = fs.realpathSync(customPath);`
`203`	`203`	`if (!resolvedPath.startsWith(workspaceDir)) {`
`204`	`204`	fail(`Invalid dangerfile path: ${extraDangerFilePath}. Must be within workspace.`);
`205`		`- return;`
	`205`	`+ throw new Error('Security violation: dangerfile path outside workspace');`
`206`	`206`	`}`
`207`	`207`
`208`	`208`	`const extraModule = require(customPath);`